Create mayhem-for-api-analysis.yml

2024-11-22 21:55:29 +00:00 · 2021-10-14 21:18:29 +03:00 · 2021-10-14 21:18:29 +03:00 · 3ec239d13c
commit 3ec239d13c
parent f1f79c1aac
1 changed files with 66 additions and 0 deletions
--- a/.github/workflows/mayhem-for-api-analysis.yml
+++ b/.github/workflows/mayhem-for-api-analysis.yml
@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API
+# to find reliability, performance and security issues before they reach
+# production.
+#
+# To use this workflow, you will need to:
+#
+# 1. Create a Mayhem for API account at
+#    https://mayhem4api.forallsecure.com/signup
+#
+# 2. Create a service account token `mapi organization service-account create
+#    <org-name> <service-account-name>`
+#
+# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
+#
+# 4. Update the "Start your API" step to run your API in the background before
+#    starting the Mayhem for API scan, and update the `api-url` & `api-spec`
+#    field.
+#
+# If you have any questions, please contact us at mayhem4api@forallsecure.com
+
+name: "Mayhem for API"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+
+jobs:
+  mayhem-for-api:
+    name: Mayhem for API
+    # Mayhem for API runs on linux, mac and windows
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v2
+
+      # Run your API in the background. Ideally, the API would run in debug
+      # mode & send stacktraces back on "500 Internal Server Error" responses
+      # (don't do this in production though!)
+      - name: Start your API
+        run: ./run_your_api.sh & # <- ✏️ update this
+
+      - name: Mayhem for API
+        uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
+        continue-on-error: true
+        with:
+          mapi-token: ${{ secrets.MAPI_TOKEN }}
+          api-url: http://localhost:8080 # <- ✏️ update this
+          api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
+          duration: 60
+          sarif-report: mapi.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: mapi.sarif